Can PHP call itself?
Posted: Thu Oct 14, 2004 5:00 pm
by tchenowe
Here is what I want to do. I want to enter php code into a text area and have it posted to a PHP script. The script takes the text area code, sends it to the PHP interpreter and processes the results. Anyone have a pointer to a web sight that talks about doing this? Thanks for your help.
Posted: Thu Oct 14, 2004 5:05 pm
by John Cartwright
<form name="formname" method="POST" action="phppage.php">
notice the action
Posted: Thu Oct 14, 2004 5:30 pm
by tchenowe
Thanks, but I know how to post information to a php script (phppage.php). What I want to do is post an actual php code snippet (through a text area) to a script (say phppage.php) and have the script send the code snippet to the php interpreter and then process the results it get back from the interpreter.
Posted: Thu Oct 14, 2004 5:35 pm
by potsed
wouldn't that have huge security issues??
Posted: Thu Oct 14, 2004 5:43 pm
by kettle_drum
You can do it with eval(), but as potsed said, if you don't check this code and make sure it's completely safe and posted from a highly trusted source then it poses a HUGE security risk.
Posted: Thu Oct 14, 2004 6:34 pm
by John Cartwright
potsed wrote: wouldn't that have huge security issues??
Boy would I have lots of fun with this

You are right it is a MAJOR security issue.
Posted: Thu Oct 14, 2004 7:53 pm
by tchenowe
eval()... thanks. Yes it is a security issue. However, it will also make a great training tool. My students will be able to input code and get immediate feedback as to problems with the code. Sending the snippet to the interpreter will make my life easier, since now all my script needs to do is evaluate the results and provide the appropriate feedback to my students. However, the security issue is a point well taken. I will need to deal with this. Thanks for all your input. Any additional comments would be welcomed. In fact, specific attacks my script would need to guard against would be helpful. I can think of some, but I'm sure not all of the ways this could be exploited.
Posted: Thu Oct 14, 2004 8:19 pm
by John Cartwright
I would mainly be concerned with things like unlink()
Posted: Thu Oct 14, 2004 8:37 pm
by tchenowe
Yes, unlink would be dangerous. But if I understand this correctly, as long as the username IIS is running under does not have any write permissions then unlink will fail (permission denied). Is this correct?
Posted: Thu Oct 14, 2004 8:39 pm
by John Cartwright
Not quite sure, I believe you are correct
but things like never-ending loops can seriously reduce your server performance. Too many security risks to name..
Posted: Thu Oct 14, 2004 8:49 pm
by tchenowe
True... I would need to parse the input and look for infinite loops before I used the eval. Also, it looks like eval does not return error messages, it only returns false if the code snippet fails. I'll need to look into that also.
Posted: Fri Oct 15, 2004 3:39 am
by twigletmac
Maybe the textarea could write to a file (one for each student) that is then included into another file to be run? You still have issues with security (preventing execution if certain functions are used would be an idea) but you do get the error messages you would normally get.
Mac
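The approach twigletmac and kettle_drum describe (refuse to run a snippet that uses certain constructs, otherwise let the student see the real error messages), as an added example that is not code from the thread: a tokenizer-based allowlist check followed by an eval() wrapper that turns parse errors and warnings into feedback. It assumes PHP 7+ (there eval() throws ParseError; in PHP 4 and 5 it only returned false, as tchenowe noticed), and the ALLOWED_NAMES list and the function names are the example's own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0+ (eval() throws ParseError instead of returning false)
// and the tokenizer extension; the snippet is PHP without an opening tag. Allowlist, not denylist, and defence
// in depth only: the worker must still run unprivileged, without write access and under a time limit.
const ALLOWED_NAMES = ['true', 'false', 'null', 'php_eol', 'strlen', 'strtoupper', 'str_repeat', 'count', 'range', 'printf'];
function check_student_code(string $code): array
{
    $forbidden = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_FUNCTION, T_CLASS, T_NEW, T_EXIT,
                  T_STATIC, T_DOUBLE_COLON, T_OBJECT_OPERATOR, T_NS_SEPARATOR, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES];
    foreach (['T_FN', 'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'] as $c) { if (defined($c)) { $forbidden[] = constant($c); } }
    // Drop whitespace and comments so "name /* */ (" cannot hide a call from the checks below.
    $tokens = array_values(array_filter(token_get_all("<?php " . $code), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true); }));
    $problems = [];
    foreach ($tokens as $i => $t) {
        if (is_string($t)) {   // one-character tokens: ` is shell execution, $ starts a variable variable
            $prev = $tokens[$i - 1] ?? null;
            if ($t === '`' || $t === '$') {
                $problems[] = "forbidden token '$t'";
            } elseif ($t === '(' && (in_array($prev, [')', ']'], true) || (is_array($prev)
                      && in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING], true)))) {
                $problems[] = 'indirect function call is not allowed';   // $f(), "name"(), (...)(), $a[0]()
            }
        } elseif (in_array($t[0], $forbidden, true)) {
            $problems[] = "line {$t[2]}: " . token_name($t[0]) . ' is not allowed';
        } elseif ($t[0] === T_STRING && !in_array(strtolower($t[1]), ALLOWED_NAMES, true)) {
            $problems[] = "line {$t[2]}: '{$t[1]}' is not in the allowlist";
        }
    }
    return $problems;
}
function run_student_code(string $code): string
{
    if ($problems = check_student_code($code)) { return "Rejected:\n- " . implode("\n- ", $problems) . "\n"; }
    set_error_handler(function (int $no, string $msg, string $file, int $line) {
        throw new ErrorException($msg, 0, $no, $file, $line);   // notices and warnings become feedback too
    });
    set_time_limit(2);   // a runaway loop still ends in an uncatchable fatal error: run this in a separate process
    try {
        eval($code);
        return "ran without errors\n";
    } catch (Throwable $e) {   // ParseError, ErrorException, DivisionByZeroError, ...
        return get_class($e) . ' on line ' . $e->getLine() . ': ' . $e->getMessage() . "\n";
    }
}
echo run_student_code('$n = 3; echo str_repeat("ab", $n), PHP_EOL;');   // prints ababab, then "ran without errors"
echo run_student_code('unlink("notes.txt");');                             // Rejected: 'unlink' is not in the allowlist
echo run_student_code('$f = "strtoupper"; echo $f("x");');                // Rejected: indirect function call
echo run_student_code('echo strlen("abc"');                                // ParseError on line 1: syntax error, ...
```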
Posted: Fri Oct 15, 2004 5:50 am
by kettle_drum
The security risks are a lot more than unlink. You can do ANYTHING. You can exec() programs, or write a script to a file to be run, you could insert things into files/databases. Once you have the ability to write and run scripts on a system you can do some damage.
Posted: Fri Oct 15, 2004 5:53 am
by m3mn0n
This is WAY too much of a security threat to put online and publicly available.
But if this is a local intranet, or a password protected area on an online site, then why not.
Posted: Fri Oct 15, 2004 6:20 am
by kettle_drum
But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.